Data breaches have started to transform the way large UK companies explain investor risk when writing annual reports, research by security firm Trustwave has found.
According to an informal analysis by managing consultant Tom Neaves, only a quarter of FTSE 100 companies failed to mention cyber-security risks such as serious data breaches inside their annual reports up to 2014.
Neaves counted mentions if the topic was referenced in commentary or in a specific ‘risks and uncertainties’ section.
It could be argued that this is an obvious point. Data breaches – or the realisation that such events are now a mainstream worry – have embedded themselves inside business culture. However, the rate of awareness has rocketed in only two years, growing from 49 percent in 2012 to 60 percent in 2013, and 76 percent by 2014.
At this rate, every FTSE 100 firm (and possibly many beyond that sector) will be foregrounding the potential for trouble within two years, possibly less, a startling change in only a handful of years.
And Neaves is in no doubt that it is breaches that have changed the minds of the report writers and the managements that employ them.
“As we have seen from the string of breaches during the past 12 months and beyond, breaches are like a tornado: They spare no victim in their path, from the CEO to the IT team to employees to customers,” he wrote in a media note.
The increase held true across all industries, although some, such as oil and gas, seem to have reached a ceiling of 85 percent mentions in both 2013 and 2014.
“Whatever the reason, the increased awareness about cyber security at the board level is a step in the right direction,” said Neaves.
Three years ago, Trustwave bought half-British security firm M86 Security for an undisclosed sum. More recently, the firm was sued for allegedly failing to protect customer data during the notorious Target data breach of 2013, a claim later described as "baseless" by Trustwave CEO, Robert J McCullen.